p0-c4-api-error-leakage

done · type/backlog · priority/p0 · severity/critical · topic/auth · topic/info-leak

p0 · C4 · API error responses leak internal detail

TL;DR

Shipped in f21f71d: production 5xx responses return generic "Internal server error"; 4xx detail preserved; apiHandler uses logger.error with structured context.

Status: done (2026-05-18, confirmed 2026-05-24) · Source: [[Projects/personal-finance-notion/context/audit-2026-05-17-auth|Auth audit 2026-05-17 §C4]]

Shipped (app repo)

  • src/lib/apiHelper.ts: code >= 500 && NODE_ENV === "production" → masked message
  • Structured logger.error in catch path (no console.error in handler)

Implementation checklist

  • [x] Mask 5xx details in production
  • [x] Keep 4xx validation messages for clients
  • [x] Full error in server logs via logger.error
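An added example of the three checklist items above, written for this note rather than taken from the app repo's src/lib/apiHelper.ts (ApiError, Logger, handleApiError and apiHandler are assumed names; the real handler signature is not on this page). It masks 5xx messages only when NODE_ENV is "production", passes 4xx messages through unchanged, and records the full error through a structured logger.error call instead of console.error.

```typescript
// Added example, not the app repo's code. Assumed names: ApiError, Logger,
// handleApiError, apiHandler. Node env is passed in explicitly so the
// masking rule is testable without touching process.env.

// Client-facing error carrying its own HTTP status (4xx validation errors).
class ApiError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
    this.name = "ApiError";
  }
}

interface LogEntry {
  level: "error";
  msg: string;
  context: Record<string, unknown>;
}

// Structured logger stand-in: keeps entries in memory so a test can
// confirm that the full detail reached the server log.
class Logger {
  readonly entries: LogEntry[] = [];
  error(msg: string, context: Record<string, unknown>): void {
    this.entries.push({ level: "error", msg, context });
  }
}

interface ApiErrorResponse {
  status: number;
  body: { error: string };
}

const GENERIC_5XX = "Internal server error";

// Translates a thrown value into an HTTP response.
//  - status < 500 (validation feedback): message returned to the client as-is
//  - status >= 500 in production: message replaced by GENERIC_5XX
//  - in every case: message, stack and route go to logger.error
function handleApiError(
  err: unknown,
  route: string,
  logger: Logger,
  nodeEnv: string,
): ApiErrorResponse {
  const status = err instanceof ApiError ? err.status : 500;
  const message = err instanceof Error ? err.message : String(err);
  const stack = err instanceof Error ? err.stack : undefined;

  // Full error to server logs with structured context (no console.error).
  logger.error("api handler failed", { route, status, message, stack });

  const mask = status >= 500 && nodeEnv === "production";
  return { status, body: { error: mask ? GENERIC_5XX : message } };
}

// Wrapper around a route handler: successful results pass through,
// thrown errors are routed via handleApiError.
function apiHandler<T>(
  route: string,
  logger: Logger,
  fn: () => T,
  nodeEnv: string,
): { status: number; body: T | { error: string } } {
  try {
    return { status: 200, body: fn() };
  } catch (err) {
    return handleApiError(err, route, logger, nodeEnv);
  }
}
```

The same Error thrown in "development" keeps its original message, which is the intended trade-off: local debugging stays convenient while the production client only ever sees the generic string, and the stack trace is recoverable from the structured log entry.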

Spun out

None — 100% complete per audit scope.

Related

  • App repo: src/lib/apiHelper.ts, src/lib/utils/logger.ts